[Dave Birch] Here's a rather obvious question to ask: will shifting to chip cards reduce the amount of card fraud in the US? You would think so. And it probably will. But it won't reduce all fraud. It will reduce "card present" (CP) face-to-face and automatic vending fraud, but it will increase pressure on "card not present" (CNP) fraud. This is inevitable, as the criminal classes will not simply abandon their activities in the face of technological change but instead, as they have always done, start probing for weaker links in the payment security fence.
Both Visa and MasterCard stated during today’s event that Oct. 1, 2015 is the date when the responsibility for fraudulent transactions regarding point-of-sale (POS) transactions shifts from the credit card company to the retailer… The liability shift differs among the top two credit card processors when it comes to ATM and automatic fuel dispenser transactions. Retailers will bear the brunt of the liability for such MasterCard transactions starting in 2016, while the liability for such Visa transactions shifts in 2017.
[From Confusion Surrounding EMV Begins to Dissipate – Retail Tech – CSNewsRetailTechnology]
Now that migration to chip is on a firm timetable in the US, it is useful, I think, to review the earliest chip migrations that took place and, with the wisdom obtained from experience, look at ways to make the US migration process smoother, more efficient and better value for the stakeholders.
Chip and PIN doesn't, of course, get rid of fraud. It is demonstrably successful at reducing certain kinds of fraud and it certainly met its goals for bringing fraud under control. Remember, the UK business case for chip and PIN migration was not based on the level of fraud at the time (although there was an issue with the extent to which the proceeds of that fraud were used to fuel other criminal enterprises, and I accept that the police had a valid point on this) but on what the levels of fraud would rise to in the future unless action was taken. What has actually happened is that UK card fraud peaked back in 2008 (at £610 million) and has since fallen by around half. Without chip and PIN, card fraud might have broken the £1 billion barrier by now.
The figures speak for themselves. UK card fraud in 2010 was the lowest for a decade and is still going down. Counterfeit fraud is down considerably. But what the figures also show is that while overall fraud continues to fall, CNP fraud continues to rise. CNP hasn't shared in the benefits of the infrastructure spending on implementing EMV. When we made the transition to EMV in the UK we had the opportunity to use chip-based security for online transactions as well, but we never took it. Here's what I mean: when I log in to my Barclays home banking service, I put my chip and PIN debit card into a little calculator thing that the bank sent me, enter my PIN and the device displays a one-time password for use on the web. I only use this for access to home banking, but there's no reason (apart from inconvenience – more on this later) that I couldn't use this online for all transactions and therefore obtain significant reductions in online fraud as well as in offline fraud. That two-factor authentication mechanism could, for example, be used for 3D-Secure (3DS) transactions instead of a static password.
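The property that makes the card-reader code usable in place of a static 3DS password is that each code is derived from a secret held in tamper-resistant hardware and is valid once. The following is an added illustration, not code from the post or from Barclays: the real reader runs EMV CAP, whose details are not on this page, so the example substitutes the open HMAC-based one-time password algorithm of RFC 4226 (HOTP) to show what the verifying server has to do, namely search a small look-ahead window of counters, accept the first match, and then refuse any counter at or below the one just used so that a captured code cannot be replayed. The shared secret and the token values are the RFC 4226 test vectors; the class and method names are assumptions of this example.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one cardholder's token (name assumed for this
    example): the shared secret, the next counter value we expect, and how
    far ahead we are willing to search to resynchronise with a token whose
    button was pressed without the code being used."""

    def __init__(self, secret: bytes, next_counter: int = 0, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = next_counter
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        # Only counters strictly ahead of the last accepted one are tried, so a
        # code that was already used (or intercepted earlier) is rejected: this
        # is the replay protection that a static password cannot offer.
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, candidate):
                self.next_counter = counter + 1
                return True
        return False


# Constructed demo using the RFC 4226 Appendix D secret.
RFC4226_SECRET = b"12345678901234567890"


def demo() -> list:
    """Returns the sequence of verification outcomes for a short session:
    a fresh code, the same code replayed, a code two presses later, and a
    stale code that is now behind the counter."""
    v = TokenVerifier(RFC4226_SECRET)
    return [
        v.verify(hotp(RFC4226_SECRET, 0)),  # first code: accepted
        v.verify(hotp(RFC4226_SECRET, 0)),  # replayed: rejected
        v.verify(hotp(RFC4226_SECRET, 2)),  # skipped one press: accepted via look-ahead
        v.verify(hotp(RFC4226_SECRET, 1)),  # behind the counter: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usability trade-off the post alludes to: too small and a token that was pressed a few times without being used goes out of sync and must be re-enrolled; too large and a guessed six-digit code has more chances of matching. Deployments normally pair the window with rate limiting on failed attempts.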
So will chip and PIN cause a net increase in US CNP fraud, since it will transfer from the face-to-face environment to the online environment without providing suitable countermeasures? Should the US use chip and PIN online? A few years ago, I thought this would be a good idea (in fact, I worked on a strategy for a US issuer looking at this around five years ago), but the window has been closing. In fact, as technology has moved on, I'd say it's clear that this will now never happen. We're not going to add smart card readers to our laptops or mobile phones and we're not going to use chip and PIN cards in them to transact online. We are going to use the smart phone instead. The security that having tamper-resistant hardware in the loop brings to transactional environments applies just as much to the SIM card in a mobile phone as it does to the EMV chip on my bank card.
The U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash
[From U.S. Leads the World in Credit Card Fraud, states The Nilson Report | Business Wire]
As other countries continue their EMV migration, card fraud in the US will continue to increase. What does this mean for the assault on CNP fraud in the US? Clearly the industry needs to take action. But what? I think we have to look outside the financial sector to develop the roadmap. The solution is to adopt identity management frameworks and standardised authentication techniques that are cross-sector, and not to spend any more time on developing industry-specific solutions such as 3D Secure (3DS). If we can decouple the issue of identifying the counterparties to a transaction and authenticating them in a convenient fashion from the issue of executing the payment between them, I think we get the best of both worlds. Yes, CNP fraud is too high in the US and imposes costs that stop it from reaching its potential, but new technology is going to help.
If we really want to cut down card fraud then we need to start taking the stripes off of the back of cards and the numbers off of the front of them.
[From Counterfeit card fraud in the US will fall, eventually]
An excellent first step, but in my opinion we need a concerted and infrastructural approach to the problem. Yes, make the cards safer, but that is not enough if fraudsters can simply take the card numbers and use them online anyway. If you look at what analysts such as Gartner and Forrester are saying, then banks should be looking at OpenID Connect and NSTIC to plug payments into national infrastructure (an approach which, it seems to me, offers both cost reduction and opportunities for new revenues, because card issuers can become identity issuers).
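What "decoupling identity from payment" looks like in practice is that the merchant receives a signed assertion about who the customer is from an identity issuer (here, the card issuer acting as one) and checks that assertion before any payment step runs. The following added example is not code from the post or from any OpenID Connect library: it builds and verifies an OpenID Connect style ID token as a compact JWT. To stay self-contained it signs with HS256 (a shared HMAC key), whereas real OpenID Connect providers use asymmetric signatures published via discovery; the issuer name, audience, key and claim values are constructed for the example. The verifier checks the four things a relying party must check regardless of algorithm: the signature, that the token was issued by the expected issuer, that it was issued for this merchant (audience), and that it is neither expired nor a replay of an earlier login (nonce).

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(issuer_key: bytes, issuer: str, subject: str, audience: str,
                   nonce: str, now: int, ttl: int = 300) -> str:
    """Identity issuer side: sign a minimal ID token (HS256 for self-containment)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "nonce": nonce, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(issuer_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, issuer_key: bytes, expected_issuer: str,
                    expected_audience: str, expected_nonce: str, now: int):
    """Merchant (relying party) side: return the claims if every check passes,
    otherwise None. The payment step should only run on a non-None result."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token choose (guards "alg": "none").
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(issuer_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != expected_issuer:
        return None
    if claims.get("aud") != expected_audience:      # token meant for another merchant
        return None
    if claims.get("nonce") != expected_nonce:       # replay of an earlier login
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


# Constructed demo values.
ISSUER_KEY = b"constructed-shared-key-for-example"
ISSUER = "https://issuer.example"      # the card issuer acting as identity issuer
MERCHANT = "merchant-shop.example"     # audience: the relying party
NOW = 1_700_000_000


def demo_accept() -> str:
    """Happy path: merchant gets back the subject it can bind a payment to."""
    token = issue_id_token(ISSUER_KEY, ISSUER, "cardholder-42", MERCHANT, "n-1", NOW)
    claims = verify_id_token(token, ISSUER_KEY, ISSUER, MERCHANT, "n-1", NOW + 10)
    return claims["sub"] if claims else ""


def demo_reject() -> list:
    """Failure paths a relying party must handle: wrong audience, expired,
    wrong nonce, forged with another key, and an unsigned 'none' token."""
    good = issue_id_token(ISSUER_KEY, ISSUER, "cardholder-42", MERCHANT, "n-1", NOW)
    other_aud = issue_id_token(ISSUER_KEY, ISSUER, "cardholder-42", "other.example", "n-1", NOW)
    forged = issue_id_token(b"attacker-key", ISSUER, "cardholder-42", MERCHANT, "n-1", NOW)
    h, p, _ = good.split(".")
    unsigned = _b64url(b'{"alg":"none"}') + "." + p + "."
    return [
        verify_id_token(other_aud, ISSUER_KEY, ISSUER, MERCHANT, "n-1", NOW) is None,
        verify_id_token(good, ISSUER_KEY, ISSUER, MERCHANT, "n-1", NOW + 1000) is None,
        verify_id_token(good, ISSUER_KEY, ISSUER, MERCHANT, "n-2", NOW) is None,
        verify_id_token(forged, ISSUER_KEY, ISSUER, MERCHANT, "n-1", NOW) is None,
        verify_id_token(unsigned, ISSUER_KEY, ISSUER, MERCHANT, "n-1", NOW) is None,
    ]


if __name__ == "__main__":
    print(demo_accept(), demo_reject())
```

Note that nothing in the token is a card number: the merchant learns an issuer-vouched subject identifier and can pass the authentication result to the payment leg, which is the separation of concerns the paragraph argues for.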
These are the kinds of innovative solutions that I'm looking forward to hearing about at the CNP Expo in Orlando, Florida on May 20th-23rd 2013. They've got a great speaker line-up with a variety of industry experts (and me) in place. What's more, the good people at CardNotPresent.com, who are behind the expo, have given us a complimentary delegate place to give away on this blog! So if you're going to be in Orlando on 20th-23rd May and would like to come along as a guest of the Tomorrow's Transactions blog, all you have to do is be the first person to comment on this post with the name of one of the two banks involved as issuer and acquirer and the year of the pilot for Visa and MasterCard's predecessor to 3DS.
Blog readers can also get a 10% discount on registering at CNP Expo with the code 'hyperion10off'.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
David, as always, your analysis is spot on … we need to somehow separate the identity component from the payment stream and make it system- and channel-agnostic.
As to your question/offer for CNP. If I recall correctly, the predecessor was called SET (Secure Electronic Transaction) protocol and via a little internet sleuthing to get the year of the test and bank names … Mellon Bank was the acquiring bank in the pilot and Zion's Bank the issuing bank in the pilot, which was launched sometime in early 1998.
[Consult Hyperion] – we have a winner. Bob, I’ll be emailing you
Beware the N in NSTIC.
There are sundry reasons why your Barclay’s dongle might not be appropriate for other authentication – changes to their risk and potential impact on your privacy. If it had been that simple IDAP would have used it.
Not sure I totally agree, 3D Secure has enabled the railroads within the ecommerce eco-system. The UK has shown that, when implemented right, it creates a trust environment in which consumers feel comfortable and enables innovation around authentication methods. Using the risk-based approach many banks in the UK are adopting today, it provides a relatively secure friction-free experience.
Ripping it out and starting something new isn't the right way to go; leverage the assets that exist and innovate around them. An example of this includes the scheme-led wallets, which will provide a security-led proposition but be more intuitive for the consumer.
At $1bn, card fraud is less than the RBS bonuses this year. The real fraud is instigated by the banks in the form of LIBOR rigging, money laundering, and risking public money. The losses to the public in money are barely calculable, let alone the social cost. By pretending that credit card fraud is at all serious, you are diverting attention from the serious criminals to the little guys. But hey, I guess it pays the rent.
There are already solutions (41st, iovation, etc) which allow mobile phones to be used for authentication that is miles better than 3D – the travel industry is fighting CNP fraud quite successfully with those tools.
The problem factor is inertia on the issuers’ part. They eat CNP losses for now without wincing much. That’s why PayPal outdid banks in e-commerce – they understand fraud well, know the pain, and are willing to fight it.